Help removing a virus/malware or something

Started Jul 20, 2011 | Discussions thread
Jim Cockfield Forum Pro • Posts: 16,342
Linux live CDs

CTR1 wrote:

I have run Sophos anti virus, Malwarebytes, temp file cleaner (TFC), OTL, Process Explorer, and GMER. Anything they detected that I couldn't verify by looking at the path/directory I had quarantined/removed. I manually removed a couple .exe things as well.

OK... just to make sure we understand...

You had a lot of malware that was detected initially by some of the AV products; and after removing everything that could be found, you're still having some issues, right?

The malware may have done some registry modifications causing problems with MSE, modified your hosts file, installed more malware including hard to detect root kits, etc.

Frankly, if it were my machine, I'd overwrite the boot sector and reinstall Windows from scratch (or restore from a known clean disk image backup I have with most of my software already installed), rather than risking that malware is still on my machine.

If you really want to continue checking for malware, try running Malwarebytes in Safe mode if you haven't already.

http://www.malwarebytes.org/mbam.php

If it doesn't find anything, try the free version of SuperAntiSpyware:

http://www.superantispyware.com/

Then, I'd boot into a Linux based Rescue CD so I'd be scanning from a clean operating system. I'd try Dr. Web first, as it's better than most with boot sector malware and hard to detect root kits. Once you're infected with boot sector malware, it can be hard to detect unless you're booting into a known clean operating system to perform the scans, since it's loading early enough to return false information to disk queries, etc. Here's where you can get it:

http://www.freedrweb.com/livecd/?lng=en

Basically, download the .iso file you'll see in the folder that comes up. Then, use something like iso recorder to burn it to CD. After you install isorecorder, when you "right click" on the downloaded .iso file from windows explorer (go to the folder you saved the Dr. Web .iso file to using "My Computer" and right click on the .iso file), you'll see a new menu choice labeled "Copy Image to CD/DVD" that can burn the .iso file to CD.

http://isorecorder.alexfeinman.com/isorecorder.htm

Then, after you burn the Dr. Web .iso to CD, reboot your PC with the CD inserted. If it doesn't boot into the CD, you may need to go into your PC's BIOS setup and change the boot order so that it looks to the CD first.

If Dr. Web doesn't find anything, try the Avira Rescue CD (and after an infection, I'd suggest scanning using its Live CD version anyway). It works on the same principle. Basically, you're bypassing Windows entirely when you boot into a Linux Live CD. So, you can scan and disinfect the Windows drive without the malware being loaded (since you're booting into an operating system running from CD). Here's where you can get the .iso file for the Avira CD:

http://dlpro.antivir.com/package/rescue_system/common/en/rescue_system-common-en.iso

Here are more products you may want to boot into and perform scans from:

http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk10/

http://download.bitdefender.com/rescue_cd/

http://www.avg.com/us-en/avg-rescue-cd

Another way to do the same thing is to remove the drive and install it as a second drive in another PC. Then, boot into that PC's clean drive with Windows on it, and scan the compromised drive using popular AV tools. That way, you're not loading anything from the infected drive.

But, again, if it were my PC that was infected by malware, I'd format the drive (making sure to repartition it so that I'm overwriting the master boot record and partition table), and reinstall Windows and Programs from scratch (or restore from a disk image backup).


JimC
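The post above makes two points that are easier to see with the raw sector in hand: a boot-sector rootkit lives in the 446 bytes of boot code at the start of the disk and can lie about that sector to anything running inside the infected Windows, and "repartitioning so the MBR and partition table get overwritten" means zeroing exactly that 512-byte sector. The following Python script is an added example, not code from Jim's post or from any of the rescue CDs he links. It parses a 512-byte MBR image (boot code, four partition entries, 0x55AA signature), compares two captures of the same sector region by region, and shows what a zeroed sector looks like to the parser. The sample MBR and its boot-code bytes are constructed in the script; on a real rescue CD you would capture the sector with `dd if=/dev/sda bs=512 count=1 of=mbr.bin` (the device name is an assumption) and feed that file in instead.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_END = 446          # bytes 0..445: the boot loader code a bootkit overwrites
PART_TABLE_OFFSET = 446      # four 16-byte partition entries follow the boot code
PART_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510       # last two bytes must be 0x55 0xAA for the BIOS to boot it
MBR_SIGNATURE = b"\x55\xaa"


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (status, type, LBA start, sector count)."""
    status = entry[0]                     # 0x80 marks the active/bootable partition
    part_type = entry[4]                  # e.g. 0x07 for NTFS
    lba_start, sector_count = struct.unpack_from("<II", entry, 8)
    return {"bootable": status == 0x80, "type": part_type,
            "lba_start": lba_start, "sectors": sector_count}


def parse_mbr(data: bytes) -> dict:
    """Split a raw 512-byte sector into signature check, boot-code hash and used partitions."""
    if len(data) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        entry = data[off:off + PART_ENTRY_SIZE]
        if entry[4] != 0:                 # partition type 0 means the slot is unused
            partitions.append(parse_partition_entry(entry))
    return {
        "signature_ok": data[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == MBR_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_END]).hexdigest(),
        "partitions": partitions,
    }


def compare_mbrs(from_windows: bytes, from_rescue_cd: bytes) -> list:
    """Report which regions differ between a sector read from inside Windows and one read
    from a live CD. A bootkit that filters disk reads will make the Windows copy look clean
    while leaving the partition table untouched so the system still boots."""
    regions = {
        "boot_code": (0, BOOT_CODE_END),
        "partition_table": (PART_TABLE_OFFSET, SIGNATURE_OFFSET),
        "signature": (SIGNATURE_OFFSET, MBR_SIZE),
    }
    return [name for name, (a, b) in regions.items()
            if from_windows[a:b] != from_rescue_cd[a:b]]


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample for this example: the given boot-code bytes padded to 446, one
    bootable NTFS partition (type 0x07) at LBA 2048 of 204800 sectors, valid signature."""
    body = boot_code.ljust(BOOT_CODE_END, b"\x00")
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    table = entry + b"\x00" * (3 * PART_ENTRY_SIZE)
    return body + table + MBR_SIGNATURE


def zeroed_mbr() -> bytes:
    """The sector as 'dd if=/dev/zero of=/dev/sdX bs=512 count=1' leaves it: no boot code,
    no partition table, no signature. This is the 'overwrite the MBR' step from the post."""
    return b"\x00" * MBR_SIZE


if __name__ == "__main__":
    # Placeholder boot-code bytes; real Windows boot code is not reproduced here.
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
    infected = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 40)   # same table, different code
    print("as seen from the rescue CD:", parse_mbr(infected))
    print("regions that differ:", compare_mbrs(clean, infected))   # ['boot_code']
    print("after zeroing:", parse_mbr(zeroed_mbr()))
```

The comparison is the practical check: if the boot-code region differs between a capture taken from inside Windows and one taken from the live CD while the partition table is identical, something below the operating system is filtering disk reads, which is exactly the case the post says a Windows-hosted scanner cannot see.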
